Fast and Loose Reasoning is Morally Correct 


Nils Anders Danielsson John Hughes Jeremy Gibbons 

Patrik Jansson Oxford University Computing Laboratory 

Chalmers University of Technology Jeremy.Gibbons@comlab.ox.ac.uk 

(nad,rjmh,patrikj}@cs.chalmers.se 


Abstract 

Functional programmers often reason about programs as if 
they were written in a total language, expecting the results 
to carry over to non-total (partial) languages. We justify 
such reasoning. 

Two languages are defined, one total and one partial, 
with identical syntax. The semantics of the partial language 
includes partial and infinite values, and all types are lifted, 
including the function spaces. A partial equivalence relation 
(PER) is then defined, the domain of which is the total 
subset of the partial language. For types not containing 
function spaces the PER relates equal values, and functions 
are related if they map related values to related values. 

It is proved that if two closed terms have the same 
semantics in the total language, then they have related 
semantics in the partial language. It is also shown that the 
PER gives rise to a bicartesian closed category which can be 
used to reason about values in the domain of the relation. 
Categories and Subject Descriptors F.3.1 [Logics and 
Meanings of Programs\: Specifying and Verifying and Rea¬ 
soning about Programs; D.3.2 [Programming Languages ]: 
Language Classifications—Applicative (functional) lan- 

General Terms Languages, theory, verification 
Keywords Equational reasoning, partial and total lan¬ 
guages, non-strict and strict languages, partial and infinite 
values, lifted types, inductive and coinductive types 

1. Introduction 

It is often claimed that functional programs are much easier 
to reason about than their imperative counterparts. Func¬ 
tional languages satisfy many pleasing equational laws, such 

curry o uncurry = id, (1) 
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(fst x, snd x) = x, and (2) 

fst {x, y) = x, (3) 

and many others inspired by category theory. Such laws 
can be used to perform very pleasant proofs of program 
equality, and are indeed the foundation of an entire school 
of program transformation and derivation, the Squiggolers 
[BdM96, Jeu90, BdBH + 91, MFP91]. There is just one prob¬ 
lem. In current real programming languages such as Haskell 
[PJ03] and ML [MTHM97], they are not generally valid. 

The reason these laws fail is the presence of the undefined 
value T, and the fact that, in Haskell, J_, Xx.l. and (J_,A| 
are all different (violating the first two laws above), while in 
ML\ T) and*fc| 2 /) are always the same (violating the 

third). 

The fact that these laws are invalid does not prevent 
functional programmers from using them when developing 
programs, whether formally or informally. Squiggolers hap¬ 
pily derive programs from specifications using them, and 
then transcribe the programs into Haskell in order to run 
them, confident that the programs will correctly implement 
the specification. Countless functional programmers happily 
curry or uncurry functions, confident that at worst they are 
changing definedness a little in obscure cases. Yet is this 
confidence justified? Reckless use of invalid laws can lead 
to patently absurd conclusions: for example, in ML, since 
(*, J_) = (y, J_) for any x and y, we can use the third law 
above to conclude that x = y, for any x and y. How do we 
know that, when transforming programs using laws of this 
sort, we do not, for example, transform a correctly termi¬ 
nating program into an infinitely looping one? 

This is the question we address in this paper. We call the 
unjustified reasoning with laws of this sort “fast and loose”, 
and we show, under some mild and unsurprising conditions, 
that its conclusions are “morally correct”. In particular, 
it is impossible to transform a terminating program into 
a looping one. Our results justify the hand reasoning that 
functional programmers already perform, and can be applied 
in proof checkers and automated provers to justify ignoring 
T-cases much of the time. 

In the next section we give an example showing how it 
can be burdensome to keep track of all preconditions when 
one is only interested in finite and total values, but is rea¬ 
soning about a program written in a partial language. Sec¬ 
tion 3 is devoted to defining the language that we focus 
on, its syntax and two different semantics: one set-theoretic 
and one domain-theoretic. Section 4 briefly discusses par¬ 
tial equivalence relations (PERs), and Section 5 introduces 
a PER on the domain-theoretic semantics. This PER is used 
to model totality. In Section 6 a partial surjective homomor¬ 
phism from the set-theoretic semantics to the quotient of the 





domain-theoretic semantics given by the PER is exhibited, 
and in Section 7 we use this homomorphism to prove our 
main result: fast and loose reasoning is morally correct. Sec¬ 
tion 8 provides a more abstract result, showing how the PER 
gives rise to a category with many nice properties which 
can be used to reason about programs. We go back to our 
earlier example and show how it fits in with the theory in 
Section 9. We also exhibit another example where reasoning 
directly about the domain-theoretic semantics of a program 
may be preferable (Section 10). Section 11 recasts the the¬ 
ory for a strict language, Section 12 discusses related work, 
and Section 13 concludes with a discussion of the results and 
possible future extensions of the theory. 

Most proofs needed for the development below are only 
sketched; full proofs are available from Danielsson’s web 
page [Dan05]. 

2. Propagating preconditions 

Let us begin with an example. Say that we need to prove 
that the function map (Xx.y + x) o reverse :: [Nat] —> [Nat] 
has a left inverse reverse o map ( Xx.x — y). (All code in 
this section uses Haskell-like syntax.) In a total language we 
would do it more or less like this: 

(reverse o map (Xx.x — y)) o (map (Xx.y + *) o reverse) 
= {map f o map g = map (fog), o associative} 
reverse o map ((Xx.x — y) o (Xx.y + x)) o reverse 
= {(Xx.x-y)o(Xx.y + x) = id} 
reverse o map id o reverse 
= {map id = id} 

reverse o id o reverse 
= {id o f = f, o associative} 
reverse o reverse 
= {reverse o reverse = id} 

Note the lemmas used for the proof, especially 

(Xx.x — y) o ( Xx.y + x) = id, and (4) 

reverse o reverse = id. (5) 

Consider now the task of repeating this proof in the 
context of some language based on partial functions, such 
as Haskell. To be concrete, let us assume that the natural 
number data type Nat is defined in the usual way, 

data Nat = Zero \ Succ Nat. (6) 

Note that this type contains many properly partial values 
that do not correspond to any natural number, and also a 
total but infinite value. Let us also assume that (+) and (—) 
are defined by 

(+) = fold Succ, and (7) 

(—) = fold pred, (8) 

where fold :: (a — * a) — > a — > Nat — ► a is the fold over 
natural numbers (fold s zn replaces all occurrences of Succ 
in n with s, and Zero with z), and pred :: Nat —> Nat is 
the predecessor function with pred Zero = Zero. The other 
functions and types are all standard [PJ03]; this implies 
that the list type also contains properly partial and infinite 
values. 

Given these definitions the property proved above is no 
longer true. The proof breaks down in various places. More 


to the point, both lemmas (4) and (5) fail, and they fail due 
to both properly partial values, since 
(Succ Zero + Succ _L) — Succ Zero = T ^ Succ T and (9) 
reverse (reverse (Zero : _L)) = T ^ Zero : _L, (10) 

and infinite values, since 

(fix Succ + Zero) — fix Succ |j^g| ^ Zero and (11) 

reverse (reverse (repeat Zero)) ^ repeat Zero. (12) 
(Here fix is the fixpoint combinator, i.e. fix Succ is the 
“infinite” lazy natural number. The application repeat x 
yields an infinite list containing only x.) Note that idof=f 
also fails, since we have lifted function spaces and id o 
Xx.A. _L, but that does not affect this example since 
reverse ^ _L. 

These problems are not surprising; they are the price you 
pay for partiality. Values that are properly partial and/or in¬ 
finite have different properties than their total, finite coun¬ 
terparts. A reasonable solution is to stay in the partial lan¬ 
guage but restrict our inputs to total, finite values. 

Let us see what the proof looks like then. We have to r\- 
expand our property, and assume that xs :: [Nat] is a total, 
finite list and that y :: Nat is a total, finite natural number. 
(Note the terminology used here: if a list is said to be total, 
then all elements in the list are assumed to be total as well, 
and similarly for finite values. The concepts of totality and 
finiteness are discussed in more detail in Sections 5 and 9, 
respectively.) We get 

((reverse o map (Xx.x — y)) 

o (map (Xx.y + x) o reverse)) xs 
= {map f o map g = map (fog), definition of o} 

reverse (map ((Xx.x — y) o (Xx.y + x)) (reverse xs)) 

• map f xs = map g xs if xs is total and f x = g x' j 

for all total x, J 

• reverse xs is total, finite if xs is, > 

• ((Xx.x — y) o ( Xx.y + x)) x = id x for total x and I 

total, finite y J 

reverse (map id (reverse xs)) 

= {map id = id} 

reverse (id (reverse xs)) 

= (definition of id} 
reverse (reverse xs) 

= {reverse (reverse xs) = xs for total, finite xs} 

Comparing to the previous proof we see that all steps 
are more or less identical, using similar lemmas, except for 
the second step, where two new lemmas are required. How 
did that step become so unwieldy? The problem is that, 
although we know that (Xx.x—y)o(Xx.y+x) = id given total 
input, and also that xs only contains total natural numbers, 
we have to manually propagate this precondition through 
reverse and map. 

One view of the problem is that the type system used 
is too weak. If there were a type for total, finite natural 
numbers, and similarly for lists, then the propagation would 
be handled by the types of reverse and map. The imaginary 
total language used for the first proof effectively has such a 
type system. 

On the other hand, note that the two versions of the 
program are written using identical syntax, and the semantic 
rules for the total language and the partial language are 







probably more or less identical when only total, finite (or 
even total, infinite) values are considered. Does not this 
imply that we can get the second result above, with all 
preconditions, by using the first proof? The answer is yes, 
with a little extra effort, and proving this is what many of 
the sections below will be devoted to. In Section 9 we come 
back to this example and spell out in full detail what “a 
little extra effort” boils down to in this case. 

3. Language 

This section defines the main language discussed in the text, 
ft is a strongly typed, monomorphic functional language 
with recursive (polynomial) types and their corresponding 
fold and unfold operators. Having only folds and unfolds is 
not a serious limitation; it is e.g. easy to implement primitive 
recursion over lists or natural numbers inside the language. 

Since we want our results to be applicable to reasoning 
about Haskell programs we include the explicit strictness 
operator seq, which forces us to have lifted function spaces in 
the domain-theoretic semantics given below. The semantics 
of seq is defined in Figure 6. We discuss the most important 
differences between Haskell and this language in Section 13. 

3.1 Static semantics 

The term syntax of the language, Ci, is inductively defined 
by 

t x | ti t 2 | Xx.t 
|seq | * 

I (,) I fst | snd (13) 

| ini|inr | case 

| in| out^F | in„F | out„F | foldF | unfoldF- 

The pairing function (,) can be used in a distfix style, as in 
(ti,t 2 ). The type syntax is defined by 

cr, t, 7 ::= cr -> t \ a x r | cr + t | 1 \yF\ vF (14) 


r(*) = * 


r[x^a]hf.r 


r\-x-.a T b Xx.t -.a^T 

V b ti : a -r r V t 2 : a 


r 

r 

r 

r 

r 

r 

r 

r 

r 


T \- tit 2 : r 


seq : cr —► r —> r 

T b fix : 

(cr ^ cr) —r a 

* : 1 


Tb(,): 

^T-(cxr) 

fst : (« 

7XT)^a 

Plb snd 

: (cr X t) -r T 

ini : cr 

-(u + r) 

Tb inr: 

r^(a + r) 

case : 

(o- + r) -> (a - 

-*• 7) -► (r 7) -► 7 

in M F : 

F g,F —> yF 

r b out,. 

,f : yF —> F yF 

in„F : 

F vF —> vF 

■'FT out,. 

, f : vF —> F uF 

foldF 

: (F cr —> cr) —i 

•/fF^ct 


unfoldF :(#■“# F cr). 

—> <7 —> vF 



Figure 1: Typing rules for C\ and C 2 . 


° Xfgx.f (g x) 

Id h-> Xf x.f x 
Ka^Xfx.X 

FxG^Xf a;.seq x (F f (fst x),G f (snd a:)) 
F + G^ A/*.case x (ini of/) (inr o G f) 

Figure 2: Syntactic sugar for terms. 


Id cr t—f a 
K t cr i—* t 

( FxG)a^FcrxGcr 
(F + G)<t\->Fo + Gct 


F, G ::= Id\K a \F x G\F + G. (15) 

The letters F and G range over functors; Id is the identity 
functor and K a is the constant functor with K a t = cr (in¬ 
formally) . The types yF and vF are inductive and coinduc- 
tive types, respectively. As an example, in the set-theoretic 
semantics introduced below y(Ki+Id ) represents finite nat¬ 
ural numbers, and v(K\ + Id) represents natural numbers 
extended with infinity. The type constructor —> is sometimes 
used right associatively, without explicit parentheses. 

In order to discuss general recursion we define the lan¬ 
guage C 2 to be Ci extended with 

f ::=... | fix. (16) 

However, whenever fix is not explicitly mentioned, the lan¬ 
guage discussed is Ci (or the restriction C\ of Ci introduced 
below). 

We only consider well-typed terms according to the typ¬ 
ing rules in Figure 1. To ease the presentation we also intro¬ 
duce some syntactic sugar for terms and types, see Figures 2 
and 3. 

3.2 Dynamic semantics 

Before we define the semantics of the languages we need 
to introduce some notation. We will use both sets and 


Figure 3: Syntactic sugar for types. 


pointed ^-complete partial orders (CPOs). For CPOs -± is 
the lifting operator, and (• —> •) is the continuous function 
space constructor. Furthermore, for both sets and CPOs, x 
is cartesian product, and + is separated sum; A+B contains 
elements of the form inl(a) with a £ A and inr(b) with 
b € B. The one-point set/CPO is denoted by 1, with * as 
the only element. The constructor for the (set- or domain- 
theoretic) semantic domain of the recursive type T, where 
T is yF or vF, is denoted by inr, and the corresponding 
destructor is denoted by outr (often with omitted indices). 
For more details about in and out, see below. Since we 
use lifted function spaces, we use special notation for lifted 
function application, 

f@X = {fx, otherwise. (17 ^ 

(This operator is left associative with the same precedence 
as ordinary function application.) Many functions used on 
the meta-level are not lifted, though, so @ is not used very 
much below. Finally note that we are a little sloppy, in that 
we do not write out liftings explicitly; we write (x, y) for a 
non-bottom element of (A x B)±, for instance. 







Now, two different denotational semantics are defined for 
the languages introduced above, one domain-theoretic ([•]) 
and one set-theoretic (((•))). (Note that when t is closed we 
sometimes use [i] as a shorthand for [t] p, and similarly 
for ((•)).) The domain-theoretic semantics is modelled on 
languages like Haskell and can handle general recursion. The 
set-theoretic semantics is modelled on total languages and 
is only defined for terms in Ci. In Section 7 we will show 
how results obtained using the set-theoretic semantics can 
be transformed into results on the domain-theoretic side. 

The semantic domains for all types are defined in Fig¬ 
ure 4. We define the semantics of recursive types by appeal¬ 
ing to category-theoretic work [BdM96, FM91]. For instance, 
the set-theoretic semantic domain of pF is the codomain of 
the initial object in F-Alg(SET). Here SET is the category 
of sets and total functions, and F-Alg(SET) is the category 
of F-algebras (in SET) and homomorphisms between them. 
The initial object, which is known to exist given our limita¬ 
tions on F, is a function in^F £ ((F pF —> pF}. The inverse 
of in^F exists and, as noted above, is denoted by out^F- Ini¬ 
tially of iri^F implies that for any function / £ ((F a —> cr)) 
there is a unique function fold F f £ (pF —> cr)) satisfying 
the universal property 

Vh € {pF -mt)) . h = fold F f <S> hoiripF = foF h. (18) 
This is how ((foldF)) is defined. To define ((unfoldF)) we go 
via the final object out„F in F-Coalg(SET) (the category of 
F-coalgebras) instead. The semantics of all terms are given 
in Figure 6. 

The domain-theoretic semantics lives in the category 
CPO of CPOs and continuous functions. To define [/uF], 
the category CPOj. of CPOs and strict continuous functions 
is also used. We want all types in the domain-theoretic 
semantics to be lifted (like in Haskell). To model this we 
lift all functors using L, which is defined in Figure 5. 

If we were to define [foldF] using the same method as 
for ((foldF)), then that would restrict its arguments to be 
strict functions. An explicit fixpoint is used instead. The 
construction still satisfies the universal property associated 
with folds if all functions involved are strict [FM91]. For 
symmetry we also define [unfoldF] using an explicit fixpoint; 
that does not affect its universality property. 

The semantics of fix is, as usual, given by a least fixpoint 
construction. 

We have been a little sloppy above, in that we have 
not defined the action of the functor K a on objects. When 
working in SET we let K„ A = ((cr)), and in CPO and CPO 
we let K a A = [cr]. Otherwise the functors have their usual 
meanings. 

4. Partial equivalence relations 

In what follows we will use partial equivalence relations, or 
PERs for short. 

A PER on a set S is a symmetric and transitive binary 
relation on S. For a PER R on S, and some x £ S with xRx, 
define the equivalence class of x as 


[a-r] = (H^[r]) ± 
[cr x r] = ([cr] x [r]) ± 
[a + r] = (H + [r]) ± 
[1] = lx 


«cr —> t)) = ((cr)) —> ((r» 
((cr x r> = ((cr)) x «r) 
((cr + r)) = ((cr)) + ((r)) 
(( 1 )) = 1 


if 7 —.T 1 _ 1 The codomain of the initial object in 

IlMl'll - | L(F)-Alg(CPOj_). 

// j-iw f The codomain of the initial object in 
((A-F)) = | T-Alg(SET). 

it ci _ / The domain of the final object in 
~ \F(F)-Coalg(CPO). 

((fF)) = { The domain of the final object in F-Coalg(SET). 
Figure 4: Semantic domains for types. 


all those in this paper. For example, given the PER defined 
in Section 5, we have that [inZ({c})] denotes the same 
equivalence class no matter which element in c is chosen. 

5. Moral equality 

We will now inductively define a family of PERs on the 
domain-theoretic semantic domains; with Rel(cr) = p([cr] 2 ) 
we will have ~<r£ Rel(a). (Here p(X) is the power set of X. 
The index cr will sometimes be omitted.) 

If two values are related by ~, then we say that they are 
morally equal. We use moral equality to formalise totality: 
a value x £ [cr] is said to be total iff a; £ dom(~ CT ). The 
intention is that if cr does not contain function spaces, then 
we should have x y iff x and y are equal, total values. 
For functions we will have / ~ g iff / and g map (total) 
related values to related values. 

The definition of totality given here should correspond to 
basic intuition. Sometimes another definition is used instead, 
where / £ [cr —> t] is total iff f@x = _L implies that x = _L. 
That definition is not suitable for non-strict languages where 
most semantic domains are not flat. As a simple example, 
consider [fst]; we will have [fst] £ dom(~), so [fst] is total 
according to our definition, but [fst]@(_L, _L) = _L. 

Given the family of PERs ~ we can relate the set- 
theoretic semantic values with the total values of the 
domain-theoretic semantics; see Sections 6 and 7. 

5.1 Non-recursive types 

The PER ~ CT _ 7 T is a logical relation, i.e. we have the follow¬ 
ing definition for function spaces: 

/ g & 

// -.*<// • A (20) 

V*, y £ [cr]. x~ a y => f@x ~ r g@y- 


[«] B = { y I V e S, xRy } . (19) 

(The index R is omitted below.) Note that the equivalence 
classes partition dom(R) = { x £ S \ xRx }, the domain of 
R. Let [R] denote the set of equivalence classes of R. 

For convenience we will use the notation {c} for an 
arbitrary element x £ c, where c is an equivalence class of 
some PER R C S 2 . This definition is of course ambiguous, 
but the ambiguity disappears in many contexts, including 


We need to ensure explicitly that / and g are non-bottom 
because some of the PERs will turn out to have _L £ dom(~) 
or dom(~) = 0. 

Pairs are related if corresponding components are related: 
y <£> llaii. yt £ [cr], x 2 ,y2 £ [r]. 

X = (xi,x 2 ) A y = (yi,y 2 ) A (21) 
xi yi A x 2 ~ T j/ 2 . 



L(Id) = Id 
L(K a ) = K a 

L(F x G) = (L(F) x L(G)) ± 
L(F + G) = (L(F) + L(G)) ± 

Figure 5: Lifting of functors. 


|*I P = p(x) 

(x))p = p(x) 

1*1*2] p = ([*1] p) ® ([*2] p) 

«M 2 »p=(«fi»p) «t„), 

[Az.f] p = Xv. [t] p[x 1 ► v] 

(Xx.t)) p = Xv. ((f)) p[x i-r 1 

[seq] = Am m.fr ^herfre M = Avi 

[fix] = Xf-UZof® 1 - 

((fix)) is not defined. 

w = * 

(*». = * 

[(,)] = Xviv 2 .(vi,v 2 ) 

(((,))) = At)l V 2 .(vi,v 2 ) 

l«*l = *«•{«, 

((fst)) = X( V 1 ,V 2 ). V1 


((snd)) = X(vi,v 2 ).v 2 

[ini] = A v.inl(v) 

((ini)) = A v.inl(v) 

[inr] = A v.inr(v) 

((inr)) = A v.inr(v) 

|X u 


[case] = Xvfif 2 .<fi@vi, v 

= inl(v 1) 

|/2 @V 2 , V 

= inr(v 2 ) 

((case)) = Xvfi f 2 .fr 

= inl(vi) 

= inr(v 2 ) 


[irV^J 

<«f» 

[0Uti/F ] 

((0Ut„jr) 

[fold,-] 

«f°ldF» 

[unfolds] 

((unfold,.-)) 


_ f The initial object in L(F)-Alg(CPOx), 

( viewed as a morphism in CPO. 

_ f The initial object in F-Alg(SET), viewed as 
( a morphism in SET. 

= f The final object in L(F)-Coalg(CPO), 

( viewed as a morphism in CPO. 

_ f The final object in F-Coalg(SET), viewed 
— | as a morphism in SET. 

= A/. [fix]@(A</./ o lFj@g o [out^]) 

{ The unique morphism in F-Alg(SET) 
from ((iriuF)) to /, viewed as a morphism 
in SET. 

= A/. [fix]@(A S . Iin„ F ]oIF]@ S o/) 

{ The unique morphism in F-Coalg(SET) 
from / to ((outi/_F)), viewed as a 
morphism in SET. 


Figure 6: Semantics of well-typed terms, for some context 
p mapping variables to semantic values. The se¬ 
mantics of in„F and out,, ,.- are the inverses of the 
semantics of out,,,.- and in,,,.-, respectively. 


Similarly, sums are related if they are of the same kind with 
related components: 

x -v+t y O 
(3*i,yi e H. 

* = inl(xi) A y = inl(yi) A xi y i) V (22) 

(3*2, t/2 € [r]. 

x = inr(x 2 ) A y = inr(y 2 ) A *2 2 / 2 ) • 

The value * of the unit type is related to itself and _L is not 
related to anything: 

!) (23) 

It is easy to check that what we have so far yields a family 
of PERs. 

5.2 Recursive types 

The definition for recursive types is trickier. Consider lists. 
When should one list be related to another? Given the in¬ 
tentions above it seems reasonable for xs to be related to 
ys whenever they have the same, total list structure (spine), 
and elements at corresponding positions are recursively re¬ 
lated. In other words, something like 

(xs = in ( inl (*)) A ys = in ( inl (*))) 

V (3 *,y € [a] , xs', ys' €. fp(Fi + (K a x Id))] . (24) 

xs = in (inr((x , *s'))) A ys = in (inr((y, ys'))) 



We formalise the intuition embodied in (24) by defining 
a relation transformer RT(F) for each functor F, 

RT(F) € Rel(pF) -► Rel(pF) 

RT(F)(X) = (25) 

{(in x, in y) \ (x,y) € RT' /iF (F)(X) } . 

The helper RT' a (F) is defined by 

RT’„(F) € Rel(a) -+ Rel(F a) 

RT’ a (Id)(X) = X 
RT' a (K T )(X) 

RT'v(F\ x F 2 )(X) = 



RT' a (F! + F 2 )(X) = 

{ (inl(x 1 ), inl( 2 / 1 )) | (* 1 , 2 / 1 ) e RT;(Fi)(X) } U 
{ (inr(x 2 ) , inr(y 2 )) | (* 2 , y 2 ) € RT' a (F 2 )(X) } . 


The relation transformer RT(F) is defined for inductive 
types. However, replacing pF with uF in the definition is 
enough to yield a transformer suitable for coinductive types. 

Now, note that RT(F) is a monotone operator on the 
complete lattice (Rel(pF ), C). This implies that it has both 
least and greatest fixpoints [Pri02], which leads to the fol¬ 
lowing definitions: 

x ~ m f y 4=> (x,y) € pRT(F) and (27) 

x y ** (x,y) € vRT(F). (28) 

These definitions may not be entirely transparent. If we 
go back to the list example and expand the definition of 




RT(K! + (K a x Id)) we get 
&T(Xi + (K„ x Id)){X) = 


{(in (inl(*)), in (mZ(*))) } U 


f (in (inr((x,xs))), 
{ in(inr((y,ys )))) 


*, 2/6 [cr], * 
(xs, ys) e X 


(29) 


The least and greatest fixpoints of this operator correspond 
to our original aims for ~^ Kl +(K„xid)) and ~v( Kl +{K a xid))- 
(Note that we never consider an infinite inductive list as 
being total.) 

It is still possible to show that what we have defined 
actually constitutes a family of PERs, but it takes a little 
more work. First note the two proof principles given by the 
definitions above: induction, 

VX C luFf . RT(F)(X) C X pRT(F) C X, (30) 


and coinduction, 


VX C \vFf . X C RT(F)(X) # X C uRT(F) . (31) 

Many proofs needed for this paper proceed according to 
a scheme similar to the following one, named IIICI below 
(Induction-Induction-Induction-Coinduction-Induction): 

• First induction over the type structure. 

• For inductive types, induction according to (30) and then 
induction over the functor structure. 

• For coinductive types, coinduction according to (31) and 
then induction over the functor structure. 


Using this scheme it is proved that ~ is a family of PERs 
[Dan05]. 


5.3 Properties 

We can prove that ~ satisfies a number of other properties 
as well. Before leaving the subject of recursive types, we note 
that 

* 2 / 4=> in x in y (32) 

and 

x ~ u f y 4=> out x vF out y (33) 

hold, as well as the symmetric statements where pF is 
replaced by vF and vice versa. This is proved using a method 
similar to IIICI, but not quite identical. Another method 
similar to IIICI is used to verify that ~ satisfies one of 
our initial goals: if cr does not contain function spaces, then 
x y iff x, y € dom(~ CT ) and x = y. 

Continuing with order related properties, it is proved 
using induction over the type structure that is monotone 
when seen as a function [cr ] 2 —> 1±. This implies that 
all equivalence classes are upwards closed. We also have (by 
induction over the type structure) that i dom(~ CT ) for 
almost all types a. The only exceptions are given by the 
grammar 

X--.= vId\yK x \uK x . (34) 

Note that [x] = { T } for all these types. 

The (near-complete) absence of bottoms in dom(~) gives 
us an easy way to show that related values are not al¬ 
ways equal: at most types [seq] ~ [Ax.Ay.y] but [seq] ^ 
[A*.Ay.y]. This example breaks down when seq is used at 
type x —> cr —> cr (unless dom(~ CT ) =0). To be able to prove 
the fundamental theorem below, let denote the language 


consisting of all terms from C\ which contain no uses of seq 
at type x -*• cr -> cr. 

Now, by using induction over the term structure instead 
of the type structure, and then following the rest of IIICI, it 
is shown that the fundamental theorem of logical relations 
holds for any term t in £[: if p(x) ~ p'(x) for all free 
variables a; in a term t, then 

ft P ~ M P- (35) 

The fundamental theorem is important because it implies 
that [t] € dom(~ ;T ) for all closed terms t : a in C[. In 
other words, all closed terms in denote total values. 
Note, however, that [fix] ^ dom(~) (at most types) since 
[Ax.*] € dom(~) and [fix (Ax.x)] = _L. 


5.4 Examples 

With moral equality defined we can prove a number of laws 
for ~ which are not true for =. As an example, consider 
77 -equality (combined with extensionality): 


V/,y 6 [<r —> t] . 

(Vx € [cr] . f@x = g@x) f = g. 


(36) 


This law is not valid, since the left hand side is satisfied by 
the distinct values / = _L and g = An.T. On the other hand, 
the following variant follows immediately from the definition 
of ~: 


V/, g € dom(~jj^) . 

(Vx € dom(~ a ). f@x ~ g@x) / 


(37) 


As another example, consider currying ( 1 ). The cor¬ 
responding statement, \curry o uncurry} ~ [*<Z], is easily 
proved using the fundamental theorem (35) and the 77 - 
law (37) above. We can also prove surjective pairing. Since 
p € dom(~ CTXT ) implies that p = (x,y) for some x 6 
dom(~ CT ) and y € dom(~ r ) we get [(fist t, snd f)] p = [t] p, 
given that [t] p € dom(~). 


6. Partial surjective homomorphism 

For the main theorem (Section 7) we need to relate values 
in ((cr)) to values in [~ CT ], the set of equivalence classes of ~ CT - 
Due to cardinality issues there is in general no total bijection 
between these sets; consider cr = (Nat —> Nat) —> Nat with 
Nat = p(K\ + Id), for instance. We can define a partial 
surjective homomorphism [Fri75] from ((cr)) to [~ CT ], though. 
This means that for each type o there is a partial, surjective 
function £ ((cr)) [~ CT ], which for function types satisfies 

(jr^ f) (j T1 X) = j T2 (fx) (38) 

whenever / e dom(j T1 ^ T2 ) and x € dom(j T1 ). (Here is 
the partial function space constructor and dom(/) denotes 
the domain of the partial function /. Furthermore we define 
[/] [x] = [f@x] , which is well-defined.) 

The functions j a £ ((cr)) [~ CT ] are simultaneously proved 

to be well-defined and surjective by induction over the 
type structure plus some other techniques for the (omitted) 
recursive cases. The following basic cases are easy: 

We{<rxr»AK X r] 

3axr (X,y) = [({>*}, {jrV})}, ^ ’ 

>+.6((cr + r))-K +r ] 

3tr.Fr inl(x) = [inl({j a x})] (40) 

j a+T inr(y) = [inr({j T y})] , 





3i *=[*]■ 


(41) 


Note the use of {•} to ease the description of these functions. 

It turns out to be impossible in general to come up 
with a total definition of j for function spaces. Consider 
the function islnfinite € ((CoNat —> Bool} (with CoNat = 
v{K\ + Id) and Bool = 1 + 1) given by 

islHfinite H = [ml otherwise! (42) 

(Here u> = [unfold inr *] is the infinite “natural num¬ 
ber”, True = inl(-k) and False = inr{ *).) Any surjective 
homomorphism j must be undefined for islnfinite. 

Instead we settle for a partial definition. We employ a 
technique, originating from Friedman [Fri75], which makes it 
easy to prove that j is homomorphic: if possible, let j T1 _, T2 / 
be the element g € [~ T1 ^ T2 ] satisfying 


{CoNat, islnfinite etc. are defined in Section 6 .) We get 
j islslnfinite = j (Af.False) (both defined), so j is not 
injective. In fact, no j which satisfies the main theorem (45) 
and uses the definition above for function spaces (43) can 
be injective. 


8. Category-theoretic approach 

Equation (46) above is useful partly because SET is a well- 
understood category. For those who prefer to work ab¬ 
stractly instead of working in SET, the following result may 
be a useful substitute. We define the category PER,., as fol- 

Objects The objects are types a (without any restrictions). 
Morphisms The morphisms of type a —> r are the elements 
of [~ <T _ >T ], i.e. equivalence classes of total functions. 
Composition [/] o [g\ = [Av.f@{g@v)]. 


Vx 6 dom(j T1 ). g {j T1 x) = j T2 (/ x). (43) 

If a g exists, then it can be shown to be unique (using 
surjectivity of j T1 ). If no such g exists, then let jVi->r 2 / 
be undefined. To show that j T 1 _ >T2 is surjective we use a 
lemma stating that ((cr)) is empty iff [~ CT ] is. 

The definition of j for inductive and coinductive types 
follows the idea outlined for the basic cases above, but is 
more involved, and we omit it here due to space constraints. 


This category is bicartesian closed, with initial algebras and 
final coalgebras for (at least) polynomial functors. All the 
laws that follow from this statement can be used to reason 
about programs. For instance, it should not be hard to 
repeat the total proofs from this paper using such laws. 

For this method to be immediately useful, the various 
constructions involved should correspond closely to those in 
the underlying language. And they do: 


7. Main theorem 

Now we get to our main theorem. Assume that t is a term 
in C\ with contexts p and p' satisfying 

p{x) e dom(~) A j p'{x) = [p{x)\ (44) 

for all variables x free in t. Then we have that j {(t )) p') is 
well-defined and 

i «W) rf- (45) 

This result can be proved by induction over the structure 
of t, induction over the size of values of inductive type and 
coinduction for coinductive types. The case where t is an 
application relies heavily on j being homomorphic. Note 
that the proof depends on the particular definition of j given 
in Section 6 ; if we wanted to use a different partial surjective 
homomorphism then the proof would need to be modified. 

As a corollary to the main theorem we get, for any two 
terms fi, f 2 : cr in C\ with two pairs of contexts pi, p\ and 
p 2 , p'l both satisfying the conditions of (44) (for t\ and f 2 , 
respectively), that 

{ti} Pi = # 2 > Pi => pij Pi ~ [fa] P 2 - (46) 

In other words, if we can prove that two terms are equal in 
the world of sets, then they are morally equal in the world of 
domains. When formalised like this the reasoning performed 
using set-theoretic methods, “fast and loose” reasoning, is 
no longer loose. 

If j had been injective, then (46) would have been an 
equivalence. That would mean that we could handle un¬ 
equalities ( 7 ^). The particular j defined here is not injec¬ 
tive, which can be shown using the function islslnfinite € 
({CoNat —► Bool) —> Bool} given by 

.^Infinite /-I?™’ ’ = *“*“"**• (47) 

I False, otherwise. 


Initial object The initial object is pld, with the unique 
morphism of type pld —> o given by [ipit]. 

Final object The final object is 1, with the unique mor¬ 
phism of type cr —► 1 given by [An.*]. Note that vld is 
isomorphic to 1 . 

Products The product of a and r is o x t. The projections 
are [[fst]] and [[snd]], and given [/] : 7 —+ cr and 
[<?] : 7 —> r the unique morphism which “makes the 
diagram commute” is [A v.{f@v,g@v)]. 

Coproducts The coproduct of cr and r is a + r. The 
injections are [[InlJ] and [[inr]], and given [/] : cr —> 7 
and [ g ] : r —► 7 the unique morphism which “makes the 
diagram commute” is [An. [case]@u@/@p]. 
Exponentials The exponential of r and cr is cr —> r. The 
apply morphism is [A(/, x).f@x], and currying is given 
by the morphism [A/ x y.f@{x, 1 /)]. 

Initial algebras For a polynomial functor F the corre¬ 
sponding initial E-algebra is {pF, [[in^F]]). Given the 
E-algebra [/] : F a —> cr, the unique homomorphism 
from [[in^ F ]] is [[foldF]®/]• 

Final coalgebras For a polynomial functor F the corre¬ 
sponding final E-coalgebra is {vF, [[ouCf]])- Given the 
E-coalgebra [/] : a —> E cr, the unique homomorphism 
to gout^f] is [[unfoldF]®/]. 

The proofs of these properties are rather easy, and do not 
require constructions like j. 

The partial surjective homomorphism j fits into the 
category-theoretic picture anyway: it can be extended to 
a partial functor to PER,, from the category which has 
types cr as objects, total functions between the correspond¬ 
ing set-theoretic domains (a} as morphisms, and ordinary 
function composition as composition of morphisms. The ob¬ 
ject part of this functor is the identity, and the morphism 
part is given by the function space case of j. 



9. Review of example 

After having introduced the main theoretic body, let us now 
revisit the example from Section 2. 

We verified that revMap = reverse o map ( Xx.x — y) is 
the left inverse of mapRev = map ( Xx.y + x) o reverse in a 
total setting. Let us express this result using the language 
introduced in Section 3. The type of the functions becomes 
ListNat —* ListNat, where ListNat is the inductive type 
+ ( K Nat x Id)) of lists of natural numbers, and Nat is 
the inductive type p(Ki + Id). Note also that the functions 
reverse, map, (+) and (—) can be expressed using folds, so 
the terms belong to Ci. Finally note that seq is not used at 
a type x — 5 * cr —;► a with _L £ dom(~ x ), so the terms belong 
to C [, and we can make full use of the theory. 

Our earlier proof in effect showed that 

(( revMap o mapRev )) [y i—> n] = {id} (48) 

for an arbitrary n £ {Nat}, which by (46) implies that 

[■ revMap o mapRev ] [y i—> n'] ~ ListNat^ListNat [id] (49) 

whenever n! £ dom(~jvot) and [ n'\ V j n for some n £ 
{Nat}. By the fundamental theorem (35) and the main 
theorem (45) we have that [t] satisfies the conditions for 
n' for any closed term t £ £'i of type Nat. This includes all 
total, finite natural numbers. 

It remains to interpret ~ListNat^>ListNat. Denote the left 
hand side of (49) by /. The equation implies that f@xs ~ 
ys whenever xs ~ ys. By using the fact (mentioned in 
Section 5.3) that xs ~ListNat ys iff xs £ dom(~Lj s( Ar a t) and 
xs = ys, we can restate the equation as f@xs = xs whenever 
XS £ dom(~ListiVat)- 

We want xs £ dom(~Lj st jvat) to mean the same as “ xs 
is total and finite”. We defined totality to mean “related 
according to in Section 5, so xs £ dom(~L ist jvot) iff xs 
is total. We have not defined finiteness, though. However, 
with any reasonable definition we can be certain that x £ 
dom(~ CT ) is finite if a does not contain function spaces or 
coinductive types; in the absence of such types we can define 
a function size a £ dom(~ CT ) —> N which has the property 
that size x' < size x whenever x' is a structurally smaller 
part of x, such as with x = inl(x') or x = in ( x’, x"). 

Hence we have arrived at the statement proved by the 
more elaborate proof in Section 2: for all total and finite 
lists xs and all total and finite natural numbers n, 

{(revMap o mapRev) as] [y i—> n] = [as] . (50) 

This means that we have proved a result about the partial 
language without having to manually propagate precondi¬ 
tions. At first glance it may seem as if the auxiliary argu¬ 
ments spelled out in this section make using total methods 
more expensive than we first indicated. However, note that 
the various parts of these arguments only need to be car¬ 
ried out at most once for each type. They do not need to be 
repeated for every new proof. 

10. Partial reasoning is sometimes 
preferable 

This section discusses an example of a different kind from 
the one given in Section 2; an example where partial rea¬ 
soning (i.e. reasoning using the domain-theoretic semantics 
directly) seems to be more efficient than total reasoning. 

We define two functions sums and diffs, both of type 
ListNat —> ListNat, with the inductive types ListNat and 
Nat defined just like in Section 9. The function sums takes 


a list of numbers and calculates their running sum, and diffs 
performs the left inverse operation, along the lines of 

sums [3,1,4,1,5] = [3,4,8,9,14], and (51) 
diffs [3,4,8,9,14] = [3,1,4,1,5] (52) 

(using standard syntactic sugar for lists and natural num¬ 
bers). The aim is to prove that 

{diffs o sums} = {id}. (53) 

We do that in Section 10.1. Alternatively, we can implement 
the functions in £2 and prove that 


for all total, finite lists xs £ \ListNat\ containing total, 
finite natural numbers. That is done in Section 10.2. We 
then compare the experiences in Section 10.3. 

10.1 Using total reasoning 

First let us implement the functions in C\. To make the 
development easier to follow, we use some syntax borrowed 
from Haskell. We also use the function foldr, modelled on 
its Haskell namesake: 

foldr : (<r —» (r —» r)) —» r 

-> p(Ki + {K„ x Id)) -► r 

foldr fx= (55) 

fold/c i ( k„ xid) (Ay.case y (X-.x) 

{Xp.f (fst p) (snd p))). 

The following is a simple, albeit inefficient, recursive 
implementation of sums: 


add : Nat —> ListNat —> ListNat 
add x ys = x : map (A y.x + y) ys. 

Here (+) and (—) (used below) are implemented as folds, in 
a manner analogous to (7) and (8) in Section 2. The function 
map can be implemented using foldr: 

map : (a —► r) — p(K x + [K a x Id)) 

- n(K! + (K T x Id)) (58) 

map f = foldr ( Xxys.f x : ys) []. 

The definition of diffs uses similar techniques: 


diffs : ListNat —> ListNat 
diffs = foldr sub [ ], 


sub x ys = x : toHead (A y.y — x) ys. y J 

The helper function toHead applies a function to the first el¬ 
ement of a non-empty list, and leaves empty lists unchanged: 
toHead : (Nat —> Nat) —► ListNat —> ListNat 
toHead f (y : ys) = f y : ys (61) 

toHead /[] = []. 


e fold fusion [BdM96], 


c,y. g {f x y) = f x (g y). 





(For simplicity we do not write out the semantic brackets 
((•}), or any contexts.) We have 
diffs o sums = id 

4=> {definition of sums, id = foldr (:) []} 
diffs o foldr add [] = foldr (:) [] 

<= {fold fusion} 
diffs [] = [] A 

Vx, ys. diffs (add x ys) = x : diffs ys. 

The first conjunct is trivial, and the second one can be 
proved by using the lemmas 

(A y.y -x)o (Xy.x + y) = id (63) 


In total languages inductive and coinductive types cannot 
easily be mixed; we do not have the same problem in partial 
languages. 

The corecursive definition of sums, 

sums : ListNat —> ListNat > 

sums xs = unfoldr next (0, xs), 

with helper next, 

next : (Nat x ListNat) 

—> (1 + (Nat x (Nat x ListNat))) . 

next (e, []) = ini * ; ! ' 

next (e, x : xs) = inr (e + x, (e + x, xs)), 


and 

diffs o map (Xy.x + y) = toHead (Xy.x + y) o diffs. (64) 
To prove the second lemma we use fold-map fusion [BdM96], 
foldr f e o map g = foldr (f o g) e. (65) 

We have 


should be just as easy to follow as the recursive one, if not 
easier. Here we have used the same definitions of (+) and (—) 
as above, and 0 is shorthand for in,v„,t (ini *). The definition 
of diffs, 

diffs : ListNat —> ListNat 
diffs xs = unfoldr step (0, xs), 


diffs o map (Xy.x + y) 

— {definition of diffs} 

foldr sub [ ] o map (Xy.x + y) 

— {fold-map fusion} 

foldr (sub o (Xy.x + y)) [] 

= {fold fusion, see below} 

toHead (Xy.x + y) o foldr sub [ ] 

— {definition of diffs} 

toHead (Xy.x + y) o diffs. 

To finish up we have to verify that the preconditions for fold 
fusion are satisfied above, 

toHead (Xy.x + ?/)[] = [], (66) 


with step, 

step : (Nat x ListNat) 

—> (1 + (Nat x (Nat x ListNat))) , 

step (e, []) = ini* ! " il 

step (e,x : xs) = inr (x - e, (x, xs)), 

is arguably more natural than the previous one. 

Now we can prove (54) for all total lists containing total, 
finite natural numbers; we do not need to restrict ourselves 
to finite lists. To do that we use the approximation lemma 
[HG01], 

xs = ys Vn € N. approx n xs = approx n ys, (74) 

where the function approx is defined by 


and 

\/y, ys. toHead (Xy.x + y) (sub y ys) = 

(sub o (Xy.x + y)) y (toHead (Xy.x + y) ys). 

The first one is yet again trivial, and the second one can be 
proved by using the lemma 

Az.z - y = (A2.2 - (x + y)) o (Xy.x + y). (68) 

10.2 Using partial reasoning 

Let us now see what we can accomplish when we are not 
restricted to a total language. Yet again we borrow some 
syntax from Haskell; most notably we do not use fix directly, 
but define functions using recursive equations instead. 

The definitions above used structural recursion. The pro¬ 
grams below instead use structural corecursion, as captured 
by the function unfoldr, which is based on the standard un¬ 
fold for lists as given by the Haskell Report [PJ03]: 

unfoldr : (r —> (1 + (a x r))) —> r 
p(K x + (K* x Id)) 

unfoldr f b = case (/ b) (69) 

(Ml) 

(Ap.fst p : unfoldr f (snd p)). 

Note that we cannot use unfold here, since it has the wrong 
type. We can write unfoldr with the aid of fix, though. 


approx € N —► \p(Kx + (K a x 7d))] 

- ln(Ki + ( Kfj x 7d))] 
approx 0 _ = -L 

approx (n + 1) _L = _L 
approx(n+ 1) [] = [] 

approx (n +1) (x : xs) = x : approx n xs. 


(75) 


Note that this definition takes place on the meta-level, since 
the natural numbers N do not correspond to any type in our 
language. 

We have the following (yet again ignoring semantic brack¬ 
ets and contexts and also all uses of @): 


V total xs containing total, finite numbers. 

(diffs o sums) xs = xs 

{approximation lemma} 

V total xs containing total, finite numbers. 

Vn € N. approx n ((diffs o sums) xs) = approx n xs 
{predicate logic, definition of diffs, sums and o} 

Vn € N. V total xs containing total, finite numbers. 
approx n (unfoldr step (0, unfoldr next (0, xs))) ee 
approx n xs 

4= {generalise, 0 is total and finite} 




Vn € N. V total xs containing total, finite numbers. 

V total and finite y. 

approx n (unfoldr step ( y , unfoldr next ( y , *s))) = 
approx n xs. 

We proceed by induction on the natural number n. The 
n = 0 case is trivial. For n = k + 1 we have two cases, 
xs = [ ] and xs = Z : zs (with z being a total, finite natural 
number, etc.). The first case is easy, whereas the second one 
requires a little more work: 
approx (k + 1) 

(unfoldr step (y, unfoldr next ( y , z : zs))) 

= {definition of unfoldr, next and step} 
approx (k + 1) 

({y + z)-y. 

unfoldr step ( y + z, unfoldr next (y + z, zs))) 

= {(y + z) — y = z for y, z total and finite} 
approx (k + 1) 

( z : unfoldr step (y + z, unfoldr next ( y + z, zs))) 

= {definition of approx} 
z : approx k 

( unfoldr step ( y + z, unfoldr next {y + z, zs))) 

= {inductive hypothesis, y + z is total and finite} 
z : approx k zs 
= {definition of approx} 
approx ( k + 1) (z : zs). 

Note that we need a lemma stating that y + z is total and 
finite whenever y and z are. 

10.3 Comparison 

The last proof above, based on reasoning using domain- 
theoretic methods, is arguably more concise than the pre¬ 
vious one, especially considering that it is more detailed. It 
also proves a stronger result since it is not limited to finite 

When we compare to the example in Section 2 we see 
that we were fortunate not to have to explicitly propagate 
any preconditions through functions in the domain-theoretic 
proof here, except in the penultimate step in the last case 
above. Notice especially the second step in the last case. 
The variables y and z were assumed to be finite and total, 
and hence the lemma (y + z) — y = z could immediately be 
applied. 

There is of course the possibility that the set-theoretic 
implementation and proof are unnecessarily complex. Note 
for instance that the domain-theoretic variants work equally 
well in the set-theoretic world, if we go for coinductive 
instead of inductive lists, and replace the approximation 
lemma with the take lemma [HG01]. Using such techniques 
in a sense leads to more robust results, since they never 
require preconditions of the kind above to be propagated 
manually. 

However, since inductive and coinductive types are not 
easily mixed we cannot always go this way. If we for example 
want to process the result of sums using a fold, we cannot use 
coinductive lists. In general we cannot use hylomorphisms 
[MFP91], unfolds followed by folds, in a total setting. If we 
want or need to use a hylomorphism, then we have to use a 
partial language. 


11. Strict languages 

We can treat strict languages (at least the somewhat odd 
language introduced below) using the framework developed 
so far by modelling strictness using seq, just like strict 
data type fields are handled in the Haskell Report [PJ03]. 
For simplicity we reuse the previously given set-theoretic 
semantics, and also all of the domain-theoretic semantics, 
except for one rule, the one for application. 

More explicitly, we define the domain-theoretic, strict 
semantics [•]_,_ by [cr] x = [cr] for all types. For terms we 
let application be strict, 

thhPf-L, (76) 

^ IT, otherwise. 

Abstractions are treated just as before, 

{Xx.tj ± p = Xv. ltj ± p[x (77) 

and whenever t is not an application or abstraction we let 

M±P = [£j P- 

We then define a type-preserving syntactic translation * 
on Ci, with the intention of proving that [£] x p = [£*J P- 
The translation is as follows: 

seq £2* (£i* £2*), £ = £1 £2, 

Xx.ti*, t = Xx.ti, (78) 

£, otherwise. 

The desired property follows easily by induction over the 

structure of terms. It is also easy to prove that ((£)) p = 

« n)P • 

Given these properties we can easily prove the variants 
of the main theorem (45) and its corollary (46) that result 
from replacing [•] with J-] x . The category-theoretic results 
from Section 8 immediately transfer to this new setting since 
the category is the same and [t] x ; »f£] for all closed terms 
£ not containing applications. 

12. Related work 

The notion of totality used above is very similar to that 
used by Scott [Sco76]. Aczel’s interpretation of Martin-Lof 
type theory [Acz77] is also based on similar ideas, but 
types are modelled as predicates instead of PERs. That 
work has been extended by Smith [Smi84], who interprets 
a polymorphic variant of Martin-Lof type theory in an 
untyped language which shares many properties with our 
partial language £2; he does not consider coinductive types 
or seq, though. Beeson considers a variant of Martin-Lof 
type theory with W-types [Bee82]. W -types can be used 
to model strictly positive inductive and coinductive types 
[Dyb97, AAG05]. Modelling coinductive types can also be 
done in other ways [Hal87], and the standard trick of coding 
non-strict evaluation using function spaces ( force and delay) 
may also be applicable. Furthermore it seems as if Per 
Martin-Lof, in unpublished work, considered lifted function 
spaces in a setting similar to [Smi84]. 

The method we use to relate the various semantic models 
is basically that of Friedman [Fri75]; his method is more 
abstract, but defined for a language with only base types, 
natural numbers and functions. 

Scott mentions that a category similar to PER^ is bi¬ 
cartesian closed [Sco76]. 

There is a vast body of literature written on the subject 
of Aczel interpretations, PER models of types, and so on, 
and some results may be known as folklore without having 




been published. This text can be seen as a summary of 
some results, most of them previously known in one form 
or another, that we consider important for reasoning about 
functional programs. By writing down the results we make 
the details clear. Furthermore we apply the ideas to the 
problem of reasoning about programs, instead of using them 
only to interpret one theory in another. This is quite a 
natural idea, so it is not unreasonable to expect that others 
have made similar attempts. We know about [Dyb85], in 
which Dybjer explains how one can reason about an untyped 
partial language using total methods for expressions that are 
typeable (corresponding to our total values). We have not 
found any work that discusses fast and loose reasoning for 
strict languages. 

Another angle on the work presented here is that we want 
to get around the fact that many category-theoretic isomor¬ 
phisms are missing in categories like CPO. For instance, one 
cannot have a cartesian closed category with coproducts and 
Hxpoints for all morphisms [HP90]. In this work we disallow 
all hxpoints except well-behaved ones that can be expressed 
as folds and unfolds. Another approach is to disallow recur¬ 
sion explicitly for sum types [BB91]. The MetaSoft project 
(see e.g. [BT83, Bli87]) advocated using “naive denotational 
semantics”, a denotational semantics framework that does 
not incorporate reflexive domains. This means that some hx¬ 
points (both on the type and the value level) are disallowed, 
with the aim that the less complex denotational structures 
may instead simplify understanding. 

A case can be made for sometimes reasoning using a con¬ 
servative approximate semantics, obtaining answers that are 
not always exactly correct [DJ04, discussion]. Programmers 
using languages like Haskell often ignore issues related to 
partiality anyway, so the spirit of many programs can be 
captured without treating all corner cases correctly. The 
methods described in this paper in a sense amount to us¬ 
ing an approximate semantics, but with the ability to get 
exactly correct results by translating results involving ~ to 
equalities with preconditions. 

There is some correspondence between our approach and 
that of total and partial correctness reasoning for imperative 
programs, for example with Dijkstra’s wp and wlp predi¬ 
cate transformers [Dij76]. In both cases, simpler approxi¬ 
mate methods can be used to prove slightly weaker results 
than “what one really wants”. However, in the w(l)p case, 
conjoining partial correctness with termination yields total 
correctness. In contrast, in our case, there is in general no 
(known) simple adjustment of a fast and loose proof to make 
a true proof of the same property. Nevertheless, the fast and 
loose proof already yields a true proof of a related property. 

Sometimes it is argued that total functional programming 
should be used to avoid the problems with partial languages. 
Turner does that in the context of a language similar to 
the total one described here [Tur96], and discusses methods 
for circumventing the limitations associated with mandatory 
totality. 

13. Discussion and future work 

We have justified reasoning about functional languages con¬ 
taining partial and infinite values and lifted types, including 
lifted functions, using total methods. Two total methods 
were described, one based on a set-theoretic semantics and 
one based on a bicartesian closed category, both using a par¬ 
tial equivalence relation to interpret results in the context 
of a domain-theoretic semantics. 

We have focused on equational reasoning. However, 


note that, by adding and verifying some extra axioms, the 
category-theoretic approach can be used to reason about 
unequalities (^). Given this ability it should be possible 
to handle more complex logical formulas as well; we have 
not examined this possibility in detail, though. Since the 
method of Section 7 (without injective j) cannot handle 
unequalities, it is in some sense weaker. 

It should be clear from the examples above that using 
total methods can sometimes be cheaper than partial ones, 
and sometimes more expensive. We have not performed any 
quantitative measurements, so we cannot judge the relative 
frequency of these two outcomes. One reasonable conclusion 
is that it would be good if total and partial methods could be 
mixed without large overheads. We have not experimented 
with that, but can still make some remarks. 

First it should be noted that ~ is not a congruence: 
we can have x ~ y but still have f@x f@y (if / ^ 
dom(~)). We can still use an established fact like x ~ y 
by translating the statement into a form using preconditions 
and equality, like we did in Section 9. This translation is easy, 
but may result in many nontrivial preconditions, perhaps 
more preconditions than partial reasoning would lead to. 
When this is not the case it seems as if using total reasoning 
in some leaves of a proof, and then partial reasoning on the 
top-level, should work out nicely. 

Another observation is that, even if some term t is written 
in a partial style (using fix), we may still have [t] 6 dom(~). 
This would for example be the case if we implemented foldr 
(see Section 10.1) using fix instead of fold. Hence, if we 
explicitly prove that [t] € dom(~) then we can use t in a 
total setting. This proof may be expensive, but enables us to 
use total reasoning on the top-level, with partial reasoning 
in some of the leaves. 

Now on to other issues. An obvious question is whether 
one can extend the results to more advanced languages 
incorporating stronger forms of recursive types, polymor¬ 
phism, or type constructors. Adding polymorphism would 
give us an easy way to transform free theorems [Rey83, 
Wad89] from the set-theoretic side (well, perhaps not set- 
theoretic [Rey84]) to the domain-theoretic one. It should be 
interesting to compare those results to other work involving 
free theorems and seq [JV04]. 

However, the main motivation for treating a more ad¬ 
vanced type system is that we want the results to be ap¬ 
plicable to languages like Haskell, and matching more fea¬ 
tures of Haskell’s type system is important for that goal. 
Still, the current results should be sufficient to reason about 
monomorphic Haskell programs using only polynomial re¬ 
cursive types, with one important caveat: Haskell uses the 
sums-of-products style of data type definitions. When sim¬ 
ulating such definitions using binary type constructors, ex¬ 
tra bottoms are introduced. As an example, + /d)J 

contains the different values in (inl( _L)) and in ( inl (*)), 
but since the constructor Zero is nullary the Haskell data 
type Nat from Section 2 does not contain an analogue of 
in (mZ(_L)). One simple but unsatisfactory solution to this 
problem is to restrict the types used on the Haskell side to 
analogues of those discussed in this paper. Another approach 
is of course to rework the theory using sums-of-products 
style data types. We foresee no major problems with this, 
but some details may require special attention. 
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